From: bokr@bokr.com
To: 55361@debbugs.gnu.org, ludo@gnu.org
Subject: bug#55361: [Installer] Extra unprivileged “root” account added
Date: Sat, 21 May 2022 14:54:34 +0200 [thread overview]
Message-ID: <20220521125434.GA2334@LionPure> (raw)
In-Reply-To: <87h75jvodh.fsf@gnu.org>
Hello,
On +2022-05-21 00:19:06 +0200, Ludovic Courtès wrote:
> Ludovic Courtès <ludo@gnu.org> skribis:
>
> > The installer built from:
> >
> > Generation 214 May 02 2022 21:44:14 (current)
> > guix 6b588da
> > repository URL: https://git.savannah.gnu.org/git/guix.git
> > branch: master
> > commit: 6b588da368c77cde82ea2f22ca315116228777ad
> >
> > … adds an unprivileged “root” account to the ‘users’ section of the OS
> > config.
>
> Fixed in 48c748226e2a94d2dec9bfdf84601455f00d6f5e, which reverts
> c2125e59d0774cda3e559adeb056459a5f23586b.
>
> Ludo’.
>
>
>
--8<---------------cut here---------------start------------->8---
commit c2125e59d0774cda3e559adeb056459a5f23586b
Author: Mathieu Othacehe <othacehe@gnu.org>
Date: Mon Apr 4 16:38:09 2022 +0200
installer: user: Remove useless filtering.
--8<---------------cut here---------------end--------------->8---
--8<---------------cut here---------------start------------->8---
commit 48c748226e2a94d2dec9bfdf84601455f00d6f5e
Author: Ludovic Courtès <ludo@gnu.org>
Date: Fri May 20 20:41:02 2022 +0200
Revert "installer: user: Remove useless filtering."
This reverts commit c2125e59d0774cda3e559adeb056459a5f23586b.
Fixes <https://issues.guix.gnu.org/55361>.
--8<---------------cut here---------------end--------------->8---
Assuming my date-diff hack worked:
--8<---------------cut here---------------start------------->8---
~/wb/guix]$ date-diff '2022-04-04 16:38:09' '2022-05-20 20:41:02'
46days 4hrs 2min 53sec
--8<---------------cut here---------------end--------------->8---
Is this like coming home from 46day vacation and noticing
that, oops, someone left the kitchen door open,
and hoping no ++ungoodniks noticed? Or meh?
Is. or should there be, a required signoff on an
exploitability assessment in the commit, when it
has that scent? (e.g. anything possibly opening
a door to root privilges).
Personally, I am happy to see "fixed," but I would be happier
seeing a signed exploitability assessment, esp if by someone
concentrating on that aspect of things.
Thoughts?
--
Regards,
Bengt Richter
next prev parent reply other threads:[~2022-05-21 12:55 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-11 9:36 bug#55361: [Installer] Extra unprivileged “root” account added Ludovic Courtès
2022-05-20 22:19 ` Ludovic Courtès
2022-05-21 12:54 ` bokr [this message]
2022-05-21 13:34 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2022-05-21 16:51 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220521125434.GA2334@LionPure \
--to=bokr@bokr.com \
--cc=55361@debbugs.gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.